I created a secret in the us-east-1 region. I am able to dynamically reference the secret in a CloudFormation stack template deployed to region us-east-1. The command in the template looks something like

{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:<accountId>:secret:<secretName>:SecretString:<secretKey>::}}

I have another stack template being deployed to region eu-west-2. The command to resolve the secret looks exactly the same as described above. However, when deploying, I get the CloudFormation error

Secrets Manager can't find the specified secret. (Service: AWSSecretsManager; Status Code: 400; Error Code: ResourceNotFoundException; Request ID: <someId>; Proxy: null)

Based on the documentation, it should be possible to resolve secrets from a different AWS account when the full secret ARN is specified as the secret-id. I was not able to find any cross-region information, hence raising the question here.

Am I missing something, since I can't import the secret from the same account but a different region? Or is this not supported?
2 Answers
It's not supported. CloudFormation is a regional service, and it can't reference things from other regions. You would have to create a custom resource in the form of a Lambda function. The function could fetch the secret from the other region and return it to your template for further use.
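An added example of the Lambda-backed custom resource this answer describes (it is not the answerer's code and not an AWS-provided template). The template is deployed in the consuming region (eu-west-2 in the question); the SourceSecretArn parameter is a placeholder for the full ARN of the secret in us-east-1, and the Lambda reads the region out of that ARN so it calls Secrets Manager in the right place. The execution role is scoped to secretsmanager:GetSecretValue on that single ARN, and the response is sent with noEcho so the value is masked when retrieved with Fn::GetAtt.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Read a Secrets Manager secret from another region via a custom resource (added example)

Parameters:
  SourceSecretArn:
    Type: String
    Description: Full ARN of the secret in the source region (placeholder value)
    Default: arn:aws:secretsmanager:us-east-1:111122223333:secret:<secretName>
  SecretKey:
    Type: String
    Description: JSON key inside SecretString to return (placeholder value)
    Default: password

Resources:
  FetchSecretRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ReadSourceSecretOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref SourceSecretArn   # least privilege: exactly one secret

  FetchSecretFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt FetchSecretRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          import json
          import boto3
          import cfnresponse   # provided by CloudFormation for inline (ZipFile) code

          def handler(event, context):
              try:
                  if event["RequestType"] == "Delete":
                      # nothing to clean up; the secret itself is owned elsewhere
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                      return
                  props = event["ResourceProperties"]
                  arn = props["SecretArn"]
                  region = arn.split(":")[3]   # the 4th ARN field is the region
                  sm = boto3.client("secretsmanager", region_name=region)
                  value = sm.get_secret_value(SecretId=arn)["SecretString"]
                  if props.get("SecretKey"):
                      value = json.loads(value)[props["SecretKey"]]
                  # noEcho masks the attribute when it is read back with Fn::GetAtt
                  cfnresponse.send(event, context, cfnresponse.SUCCESS,
                                   {"Value": value}, noEcho=True)
              except Exception as exc:
                  # never put the secret in the failure reason; only the error text
                  cfnresponse.send(event, context, cfnresponse.FAILED,
                                   {}, reason=str(exc))

  RemoteSecret:
    Type: Custom::RemoteSecret
    Properties:
      ServiceToken: !GetAtt FetchSecretFunction.Arn
      SecretArn: !Ref SourceSecretArn
      SecretKey: !Ref SecretKey
      # Change this value to force a re-fetch on a stack update, e.g. after rotation
      RefreshToken: "1"

# Consume the value elsewhere in the template with:
#   !GetAtt RemoteSecret.Value
```

Two things worth keeping in mind with this pattern: the value is fetched only when the custom resource is created or updated, so a rotation in us-east-1 is not picked up until something (such as RefreshToken above) triggers an update; and whatever resource property you feed the value into may itself expose it (for example a Lambda environment variable is visible to anyone who can describe that function), so the consuming resource needs the same care as the secret.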
You can't directly reference a cross-region secret, but you can Replicate an AWS Secrets Manager secret to other AWS Regions and reference the replica.

us-east-1 template: Replicate the existing us-east-1 secret resource using "ReplicaRegions" : [{"Region": "us-west-2"}]. This creates a *synched copy* of the secret in the second region.

us-west-2 template: set your dynamic reference to the replicated secret in us-west-2.
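The two templates from this answer written out as an added example (not the answerer's own code). The first is deployed to us-east-1 and declares the replica with ReplicaRegions; the second is deployed to us-west-2 and resolves the replica by name, which works because the replica lives in the same account and region as that stack. The secret name app/db-credentials and the generated-password settings are assumptions for the example.

```yaml
# ---- Template 1: deploy to us-east-1 (primary region) ----
AWSTemplateFormatVersion: "2010-09-09"
Description: Primary secret with a replica in us-west-2 (added example)
Resources:
  AppSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: app/db-credentials            # assumed name
      Description: Database credentials, replicated to us-west-2
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
      ReplicaRegions:
        - Region: us-west-2
          # Optional: encrypt the replica with a customer managed key that exists
          # in us-west-2; omitted here, so the replica uses aws/secretsmanager there.
          # KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/<key-id>
---
# ---- Template 2: deploy to us-west-2 (replica region) ----
AWSTemplateFormatVersion: "2010-09-09"
Description: Consumer stack that resolves the replicated secret (added example)
Resources:
  DbUserParameter:
    # Illustrative consumer: the dynamic reference is resolved at deploy time
    # from the replica in THIS region, so no cross-region lookup is needed.
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/db-username              # assumed name; holds only the username
      Type: String
      Value: "{{resolve:secretsmanager:app/db-credentials:SecretString:username}}"
# The password key would be referenced the same way, directly in the resource
# that needs it, e.g. a MasterUserPassword property:
#   "{{resolve:secretsmanager:app/db-credentials:SecretString:password}}"
# The full replica ARN (region us-west-2) is also accepted as the secret-id.
```

Deploy template 1 first and wait for the replica to reach the InSync state before deploying template 2, otherwise the dynamic reference fails with the same ResourceNotFoundException seen in the question. Rotation is configured on the primary in us-east-1 and propagates to the replica; the replica is a separate resource with its own KMS key and resource policy, so access in us-west-2 has to be granted there as well.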